Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 17 Oct 2012 11:44:35 +0200
From: Fabian Keil <freebsd-listen@...iankeil.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ruby file creation due in insertion
 of illegal NUL character

Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:

> On 10/16/2012 08:40 AM, Matthias Weckbecker wrote:
> > Technically, this would also apply to Perl (at least with 5.12.3). 
> 
> It's also the case with perl 5.14.2 (just tested). :/

At least for Perl I consider this a feature.

The NUL byte is a special character and allows trailing white
space in the filename that is otherwise stripped. This is
(more or less) documented in perlopentut(1).

It also seems unlikely that someone adds NUL bytes to the
white list of acceptable characters by accident, and if there
is no white list in the first place, the Perl script probably
has bigger issues.

Fabian

Download attachment "signature.asc" of type "application/pgp-signature" (197 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.